The proliferation of viruses and worms plagues all computer users from the home consumer to the large enterprise. Once a machine (e.g., a computer system) is compromised by a worm, the worm attempts to propagate across one or more networks to which the compromised machine is coupled. Many worm attacks attempt to propagate by looking for specific vulnerabilities on other machines on the network(s). Regardless of the vulnerability being exploited, the worm attacks share a common trait of propagation across all networks. That is, the worm attempts to propagate on all available network connections, or all network connections “visible” to the worm.
Traditional approaches to contain worms involve the use of virus detection software to detect the arrival of the worm in the infected machine. As long as the virus detection software is operational, and is capable of detecting the worm (e.g., there is a known or expected signature the software can look for), the virus detection software generally provides reasonable protection against the worms. The detection of the worms can be performed on request (e.g., a scheduled event or a scan triggered by a user, a program, or an external entity), or can be employed with heuristic analysis of all traffic that is sent over a network interface. The analysis of all traffic sent to the network interface is intrusive, and may significantly impact the network performance of the platform being protected with the analysis. For server platforms, where performance of the network interfaces is often critical, the intrusive analysis may be unacceptable. In particular, servers utilizing virtualization technology may also utilize directed input/output (I/O), which bypasses scanning mechanisms that perform intrusive traffic analysis. In such scenarios, the traffic analysis may be completely averted, and thus provide no protective benefit to the server. The tradeoff between the performance cost of intrusion detection and the risk of infection may favor opting out of intrusion detection.